Category Archives: SOFTWARE

This well supported hacking tool kit can now be linked to everything from fridges to cars in the search for vulnerabilities.

The popular Metasploit hacking kit has been upgraded to tackle today’s Internet of Things (IoT) devices, granting researchers the opportunity to scour for bugs in modern vehicles.

Rapid7 Research director of transportation security Craig Smith announced on February 2 that the Metasploit framework can now link directly to hardware, permitting users to develop exploits to test their hardware and conduct penetration testing with less time wasted.

It is hoped that researchers will no longer have to build multiple tools to test today’s modern devices and overcome previous network limitations.

“Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware,” Smith says.

The open-source penetration testing software, available for free or as an extended, paid-for edition, is over a decade old but is still utilized by thousands of researchers worldwide. The framework currently boasts roughly 1,600 exploits and 3,300 penetration testing modules.

Due to the fresh update to the Hardware Bridge API, users are no longer limited to Ethernet network connections. Instead, researchers can build support directly into firmware or create a relay service through a REST API, which is necessary for some hardware tools including Software Defined Radio (SDR) that cannot communicate over Ethernet.

“Every wave of connected devices, regardless of whether you’re talking about cars or refrigerators, blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Smith. “We’re working to give security professionals the resources they need to test and ensure the safety of their products, no matter what side of the virtual divide they are on.”

The initial release focuses on IoT, with a particular slant towards automotive penetration testing. The bridge now includes modules for testing vehicle Controller Area Network (CAN) buses and users are also offered interactive commands for gathering information on vehicles being tested, such as speed and inbuilt security systems.

“If you are in security at an automaker, you are challenged to test things that are not exposed to traditional networks,” Smith told Dark Reading. “The hardware bridge allows security teams to add hardware testing to their QA process. It also allows red teams to have a central user interface to all of their hardware tools.”

Additional modules which target embedded, industrial, and hardware devices, including SCADA systems for industrial applications, will be added over time. Rapid7 also plans to add additional BUS systems, such as K-Line, in the future.

Rapid7 is asking users of the initial Metasploit release to provide feedback and suggest new automotive features for future versions.

What began as an attempt to secure TCP/IP in Linux resulted in enabling an attack vector that can be used to break, or even hijack, Internet connections between Linux and Android systems.

Some days you can’t win for losing. In 2012, Linux implemented a new TCP/IP networking standard, RFC 5961, Improving TCP’s Robustness to Blind In-Window Attacks, to improve security. In the process, they opened up a heretofore unknown security hole. Ironically, other operating systems that lagged in implementing this new “security” mechanism — such as FreeBSD, macOS, and Windows — are immune to this new attack vector.

The latest network attack can be used against any Linux to Linux Internet connection.

This is potentially a big deal because it can be used to break, or even hijack, Internet connections between Linux and Android systems. So, for example, if an Android smartphone connected to USA Today, the connection could be interrupted. The same attack, however, would fail if it were made on a link between a Windows PC and USA Today.

The problem exists in any operating system running Linux kernel 3.6 or newer. Linux 3.6 was introduced in 2012. The vulnerability allows an attacker from anywhere on the Internet to search for connections between a client and a server. Once such a network connection is found, the attacker can invade it, cause connection termination, and perform data injection attacks.

How bad is it? The discoverers say that the attack is fast and reliable, takes less than a minute, and works about 90 percent of the time.

According to University of California at Riverside (UCR) researchers, the Linux TCP/IP security hole can be used by attackers in a variety of ways: Hackers can hijack users’ internet communications remotely, launch targeted attacks that track users’ online activity, forcibly terminate a communication, hijack a conversation between hosts, or degrade the privacy guarantee of anonymity networks such as Tor.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” said Zhiyun Qian, a UCR assistant professor of computer science. “Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses for victim client and server, which is fairly easy to obtain.”

Adding insult to injury, Qian added, “unlike conventional cyber attacks, users could become victims without doing anything wrong, such as downloading malware or clicking on a link in a phishing email.”

Worse still, the attack vector can be used even against secure connections. While this doesn’t give an attacker the ability to read the encrypted data, it can be used to break a connection or to track who is talking to whom. Against Tor and other anonymizers, an attacker could reset a network connection to force a connection to route through an already hacked relay.

One of the highest-rated “critical” flaws involves a hidden default account with an easily-guessable password in Dell’s Sonicwall Global Management System (GMS), widely used software for centrally monitoring and managing an enterprise’s array of networked security devices.

The vulnerability could allow an attacker “full control” of the software and all connected appliances, such as virtual private networking (VPN) appliances and firewalls.

The flaws were detailed in an advisory posted by researchers at Digital Defense, a Texas-based firm that has a commercial stake in the vulnerability scanning business.

However, there’s no evidence to suggest the flaws have been actively exploited by attackers, the researchers said.

Dell acknowledged the flaws affect the most recent versions of the GMS software — versions 8.0 and 8.1 — and issued patches. In a security advisory, the company said it “highly recommends” that admins install the hotfix, available from its support pages.

Commercial spyware is available for mobile devices, including iPhones, Android Smartphones, BlackBerries, and Nokias. Many of the vendors claim that their software and its operation is undetectable on the smartphones after setup is complete. Is this true? Is there a way to identify whether or not some jerk installed spyware on your mobile phone or are you destined to be PWN’d?

This presentation examines the operation and trails left by five different commercial spyware products for mobile devices. Research for both Android and iPhone 4S will be given. A list of results from physical dumps, file system captures, and user files will be presented to show how stealthy the spyware really was. The results from the analysis of the install files will also be presented. From this information a list of indicators will be presented to determine whether or not spyware is on your phone.

Michael Robinson, a/k/a Flash, conducts forensic examinations of computers and mobile devices for a consulting firm in the Washington, DC area. In addition to his day job, he teaches graduate level courses in computer forensics and mobile device forensics at Stevenson University and George Mason University. Prior to his current consulting gig, Flash conducted computer forensic examinations in support of federal law enforcement. He worked for the Department of Defense for a bunch of years doing IT and forensics work. Flash has been in school forever. Eventually he’ll get smart. He’s building on his Master’s in Computer Forensics with a Doctorate in the same field.

Chris Taylor is a security researcher and teacher that has been doing IT security, incident response, computer forensics, and mobile device forensics for the last 12 years. His experience comes from doing research, not reading research. Imagine that. He makes fun of his co-presenter constantly. He is also a staunch privacy advocate that hates writing bios.

You might be amazed at how accessible hacking tools have become. Your site can be p0wn3d and an entire library of hacking tools downloaded and installed in just a few short minutes. Read this article and be prepared.

The key to how an attacker gains a foothold inside an organization’s network is by being able to — somehow — gain access to accounts and computers inside the firewall. This often happens with malware that’s inadvertently brought inside the firewall by unsuspecting employees.

That malware can be delivered in a wide variety of ways, from phishing attacks where an insufficiently trained or careless user accidentally opens and runs an email attachment, to visiting a website that downloads information onto an insider’s computer.

It’s that second mechanism we’re going to talk about today. When most of us think about malware-infested websites, we usually think about users who visit inadvisable websites, sites that, frankly, most of us should know better than to visit. Someone visiting a porn site or a smartphone jailbreaking site is, almost by definition, visiting a site that is likely to be operated for nefarious purposes.

But it turns out that a great many innocent websites can be carriers for malware. All it takes is an insufficiently protected directory, an unpatched exploit, a poorly chosen FTP password, or even installing a free (but corrupted) site theme, and your website can become an entry point for a massive malware infection.

What most people don’t realize is how sophisticated and, frankly, user-friendly the tools used for cyberattacks can be. In this article, I’ve included a 10-minute video by the fine folks at Wordfence (a WordPress security firm) that shows how a typical WordPress site can be infected by just two lines of scripting code.

Once those two lines of code execute, they install a complete hacking toolkit that contains 43 separate hacking tools that the hackers can use to further compromise the server. As the video shows, these tools are often browser-based, and work like any other browser-based app.

According to a blog post by Wordfence, after analyzing a recently hacked site, they found what they called a hacking platform, which contained the following tools:

Complete attack shells that let [hackers] manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.

The following video is only ten minutes long, but it shows you just how accessible hacking tools have become. With tools and hacking platforms like these, it might take attackers no more than about ten minutes to gain a complete hold on your site.

This video illustrates why it’s just so important to update your sites, plugins, and themes frequently. Hackers who discover vulnerabilities can use them to get inside your site. Once they do, they can use your site as a malware delivery platform that can help them breach other sites and organizations.

Security researchers say they have uncovered previously unknown attacks on routers which direct traffic around the internet, allowing hackers to harvest vast amounts of data while going undetected by existing cybersecurity defences.

The attacks replace the operating system used in network equipment from Cisco, the world’s biggest maker of routers, Mandiant, the computer forensic arm of US security research firm FireEye, said on Tuesday.

So far, Mandiant has found 14 instances of router implants in India, Mexico, the Philippines and Ukraine, the company said in a blog post.

Separately, Cisco confirmed that it had alerted customers to these attacks on Cisco operating system software platforms.

The company said that it had worked with Mandiant to develop ways for customers to detect the attack, which, if found, will require them to re-image the software used to control their routers.

“If you own [seize control of] the router, you own the data of all the companies and government organisations that sit behind that router,” FireEye chief executive Dave DeWalt said of his company’s discovery.

Routers operate outside the perimeter of firewalls, anti-virus and other security tools which organisations around the world use to safeguard data traffic.

Effectively, the $US80 billion which technology market research firm IDC estimates is spent annually on cybersecurity tools offers no protection against this form of attack, according to FireEye.

The malicious program has been dubbed “SYNful”, a reference to how the implanted software can jump from router to router using their syndication functions.

Computer logs from infected routers suggest the attacks have been taking place for at least a year, FireEye’s DeWalt said.

Cisco said SYNful did not take advantage of any vulnerability in its own software. Instead, the attackers either stole valid network administration credentials from the targeted organisations or gained physical access to their routers.

The affected routers have been used to hit multiple industries and government agencies, DeWalt said.

The implanted software, which duplicates normal router functions, could also potentially affect routers from other makers, he said.

Moscow-based Kaspersky Lab is one of the biggest antivirus companies in the world. Photo: Reuters

Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted Microsoft, AVG, Avast and other rivals, fooling some of them into deleting or disabling important files on their customers’ PCs.

Some of the attacks were ordered by Kaspersky Lab’s co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.

“Eugene considered this stealing,” said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had tricked competitors into categorising clean files as malicious, so-called false positives.

“Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” Kaspersky said in a statement to Reuters. “Such actions are unethical, dishonest and their legality is at least questionable.”

Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.


The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran’s nuclear program in 2009 and 2010.

The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky’s selection of competitors to sabotage.

“It was decided to provide some problems” for rivals, said one ex-employee. “It is not only damaging for a competing company but also damaging for users’ computers.”

The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.

Their chief task was to reverse-engineer competitors’ virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.

The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other’s virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google’s VirusTotal.

By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other’s work instead of finding bad files on their own.

Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.

In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.

Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.

When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.

Injecting bad code

In one technique, Kaspersky’s engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

VirusTotal had no immediate comment.

In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an “unknown third party” manipulated Kaspersky into misclassifying files from Tencent, Mail.ru and the Steam gaming platform as malicious.

The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.

The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company’s lead in detecting malicious files. They declined to give a detailed account of any specific attack.

Microsoft’s antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in “quarantine.”

Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.

Over the next few months, Batchelder’s team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.

“It doesn’t really matter who it was,” he said. “All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed.”

In a subsequent interview last week, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack.

As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible.

At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions.

Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and “wanted to have some fun” at the industry’s expense. He did not respond to a request for comment on the allegation that Kaspersky had induced false positives.

Waves of attacks

The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.

It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.

That is in part because security companies have grown less likely to accept a competitor’s determinations as gospel and are spending more to weed out false positives.

AVG’s former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine.

“There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013,” he told Reuters in April.

AVG’s chief strategy officer, Todd Simpson, declined to comment.

Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks “as it would have a very bad effect on the whole industry.”

“Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted,” Kaspersky said.

The Federal Financial Institutions Examination Council issued two statements about ways that financial institutions can identify and mitigate cyber attacks that compromise user credentials or use destructive software.

The statements do not contain any new regulatory expectations, but are intended to alert financial institutions to specific risk mitigation related to the threats associated with destructive malware.

In addition, the Exam Council provided information on what institutions can do to prepare for and respond to these threats.

Cyber attacks have increased in frequency and severity over the past two years. The attacks often involve the theft of credentials used by customers, employees, and third parties to authenticate themselves when accessing business applications and systems.

Cyber criminals can use stolen credentials to commit fraud or identity theft; modify and disrupt information systems; and obtain, destroy, or corrupt data.

Also, cyber criminals often introduce malware to business systems through e-mail attachments, by connecting infected external devices, such as USB drives, to computers or networks, or by placing the malware directly onto the business systems using compromised credentials.

If you thought wiping your mobile phone once to delete its contents, or having a passcode to protect it from prying eyes was enough, think again.

Meet the ultimate mobile phone data extractor, a $40,000 Israeli-made machine manufactured by Cellebrite and used by private investigator Navid Sobbi’s business National Surveillance and Intelligence and numerous law-enforcement agencies around the world.

The machine can crack passwords and extract varying degrees of data from almost every smartphone on the market bar a number of Blackberry models and the iPhone 5 and above. Photos, texts, locations and more can be extracted from the phone’s memory even if previously wiped.

Navid connects an iPhone up to a laptop to begin examination of the data recovered. Photo: Tessa Stevens

In total, the device claims to be able to extract varying degrees of data from about 8000 phone models. Newer iPhones are not susceptible to the password cracking because Apple’s encryption methods have improved over time, but most phones are still able to have their data extracted if the password is provided, Mr Sobbi said.

“If it’s a smartphone such as Android or Apple we can get absolutely everything,” he said.

The Cellebrite system has a cable for every phone on the market. Photo: Tessa Stevens

Often data from mobile phones is used to corroborate or disprove theories in criminal trials.

In one recent case, US forensic investigators looked at data stored on murder suspect Pedro Bravo’s smartphone to infer he used the phone’s flashlight when he buried the body of a former friend in a remote wooded area. Bravo was later found guilty of the murder.

Mr Sobbi said most phones were “easy” to get into.

The Cellebrite system can extract data from a variety of phones. Photo: Tessa Stevens

He said he could bypass an iPhone 4 passcode and get into the phone “within about five minutes”.

Some Android phones, such as the HTC One, were also easy to crack but piecing the data together was a time consuming task. Blackberrys for example were “extremely hard to get into”, he said.

Based in Sydney, Mr Sobbi has worked with NSW Police on criminal matters and also in tendering evidence for family court cases. He has also assisted with corporate leak investigations, where employees have taken a company’s intellectual property to a competitor.

Those who have accidentally deleted data – like family photos – also go to him for help, and in about 90 to 95 per cent of cases he has been able to successfully retrieve the data.

“But it all comes down to how the phone is used,” he said. “So if, for example, the phone has been factory-reset a number of times or damaged, then our success rate is a lot less.”

After using the Cellebrite tool for several years, Mr Sobbi said it was most surprising it could get location data even when a phone’s GPS was turned off.

“We’ve noticed that [some phones] still store probably every 15 minutes or once every hour … a location of where the device is,” Mr Sobbi said.

“Even if [location is] off in the GPS option, it might store it from the cell tower option.”

He advised people to wipe their phones several times before selling or disposing of them.

“When a consumer wants to change their phone or just wants to give their phone to someone else, the best thing to do is at least restore it back to factory settings a minimum of about five times.

“The more you do that the harder it becomes for the forensic examiner to recover the data.”

He said he could also extract data from tablets and computer hard drives.

Although many law-enforcement agencies praise the Cellebrite system, not everyone is happy.

The American Civil Liberties Union of Michigan has previously expressed concern about how its state police force has used the gadget, saying it can “quickly download data from cell phones without the owner of the cell phone knowing it”.

Image-recognition software uplifts results in web searches

HANOVER, N.H. – Dartmouth researchers and their colleagues have created artificial intelligence software that uses photos to locate documents on the Internet with far greater accuracy than ever before.

The new system, which was tested on photos and is now being applied to videos, shows for the first time that a machine learning algorithm for image recognition and retrieval is accurate and efficient enough to improve large-scale document searches online. The system uses pixel data in images and potentially video – rather than just text — to locate documents. It learns to recognize the pixels associated with a search phrase by studying the results from text-based image search engines. The knowledge gleaned from those results can then be applied to other photos without tags or captions, making for more accurate document search results.

The findings appear in the journal PAMI (IEEE Transactions on Pattern Analysis and Machine Intelligence).

“Images abound on the Internet and our approach means they’ll no longer be ignored during document retrieval,” says Associate Professor Lorenzo Torresani, a co-author of the study. “Over the last 30 years, the Web has evolved from a small collection of mostly text documents to a modern, gigantic, fast-growing multimedia dataset, where nearly every page includes multiple pictures or videos. When a person looks at a Web page, she immediately gets the gist of it by looking at the pictures in it. Yet, surprisingly, all existing popular search engines, such as Google or Bing, strip away the information contained in the photos and use exclusively the text of Web pages to perform the document retrieval. Our study is the first to show that modern machine vision systems are accurate and efficient enough to make effective use of the information contained in image pixels to improve document search.”

The researchers designed and tested a machine vision system – a type of artificial intelligence that allows computers to learn without being explicitly programmed — that extracts semantic information from the pixels of photos in Web pages. This information is used to enrich the description of the HTML page used by search engines for document retrieval. The researchers tested their approach using more than 600 search queries on a database of 50 million Web pages. They selected the text-retrieval search engine with the best performance and modified it to make use of the additional semantic information extracted by their method from the pictures of the Web pages. They found that this produced a 30 percent improvement in precision over the original search engine purely based on text. The new system was developed by researchers at Dartmouth College, Tecnalia Research & Innovation and Microsoft Research Cambridge.